Hi Peter,

In my opinion the static option is not necessary if you don't have a DHCP snooping database. Actually I tried it with and without it and received the same results; namely, I had an ARP ACL with three IP-to-MAC mappings and referenced it in the ARP inspection statement:

arp access-list ARP-ACL
 permit ip host 10.0.0.1 mac host 0023.ebd5.f31f log
 permit ip host 10.0.0.100 mac host 000c.2944.79f0 log
 permit ip host 10.0.0.254 mac host 0023.3448.0e47 log
ip arp inspection vlan 100
ip arp inspection filter ARP-ACL vlan 100 static

My note: it's not enough to have just the "ip arp inspection filter ARP-ACL vlan 100" statement. You have to enable "ip arp inspection vlan 100" globally. Without it there's no ARP inspection at all. The switch would say:

SW2#sh ip arp inspec
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
No active or enabled vlans on switch

Eugene

From: Peter Jørgensen <[email protected]>
Date: Friday, August 24, 2012 4:55 AM
To: "[email protected]" <[email protected]>
Subject: [OSL | CCIE_Security] DHCP Snooping in NON-DHCP Environment

Hi CCIE candidates

In a non-DHCP environment we should skip all the DHCP snooping config part because we have no DHCP snooping database. Then the ARP inspection config should look like this:

arp access-list ARP-LIST
 permit ip host 10.10.10.10 mac host 1111.2222.3333 (allow non-dhcp client)
!
ip arp inspection filter ARP-LIST vlan 10 static (only validate against the ARP ACL)*

* There is another option for the DAI filter and that is "static". If we applied this argument to the command, DAI would only check the ARP ACL and not fall back to the DHCP snooping database.

My question is: Should we use the "static" keyword when we use ARP inspection in a non-DHCP environment?

I think not... because we have no snooping database to fall back to. I think the static keyword is only needed in a mixed environment, i.e. an environment with both DHCP hosts and statically assigned hosts and with DHCP snooping and DAI enabled.

Please correct me if my understanding is wrong...

Peter Jørgensen
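The behaviour discussed in this thread, as an added example (not part of either message and not Cisco code): a simplified Python model of how DAI decides on an ARP packet arriving on an untrusted port. It shows why "static" changes nothing when the snooping database is empty and only matters in a mixed environment. The class and function names, the spoofed MAC and the DHCP-learned host are constructed for illustration, and ACL matching is reduced to exact host IP/MAC pairs.

```python
# Simplified model of the DAI permit/drop decision (added example, not Cisco code).
from dataclasses import dataclass, field

@dataclass
class DaiVlan:
    enabled: bool = False                          # "ip arp inspection vlan N"
    acl: list = field(default_factory=list)        # [(action, ip, mac)], first match wins
    static: bool = False                           # "static" keyword on the filter
    snooping_db: set = field(default_factory=set)  # {(ip, mac)} DHCP snooping bindings

def inspect(vlan, ip, mac):
    """Return 'forward' or 'drop' for an ARP packet seen on an untrusted port."""
    if not vlan.enabled:
        return "forward"            # filter alone does nothing: no inspection at all
    for action, acl_ip, acl_mac in vlan.acl:
        if (acl_ip, acl_mac) == (ip, mac):
            # An explicit ACL match is final; the snooping database is not consulted.
            return "forward" if action == "permit" else "drop"
    if vlan.static:
        return "drop"               # implicit deny is treated as an explicit deny
    # No ACL match and no "static": fall back to the DHCP snooping bindings.
    return "forward" if (ip, mac) in vlan.snooping_db else "drop"

# Constructed sample data: the three mappings from ARP-ACL above, plus one
# spoofed sender and one hypothetical DHCP-learned host.
ACL = [("permit", "10.0.0.1", "0023.ebd5.f31f"),
       ("permit", "10.0.0.100", "000c.2944.79f0"),
       ("permit", "10.0.0.254", "0023.3448.0e47")]
SPOOF = ("10.0.0.254", "dead.beef.0001")
DHCP_HOST = ("10.0.0.50", "aaaa.bbbb.cccc")

def compare(snooping_db):
    """Verdicts for (listed host, spoof, DHCP host) without and with 'static'."""
    out = {}
    for static in (False, True):
        v = DaiVlan(True, ACL, static, snooping_db)
        out[static] = tuple(inspect(v, *h) for h in (ACL[0][1:], SPOOF, DHCP_HOST))
    return out

if __name__ == "__main__":
    print("non-DHCP:", compare(set()))        # identical with and without static
    print("mixed   :", compare({DHCP_HOST}))  # static drops the DHCP-learned host
```

With an empty binding table both variants give the same verdicts; with a populated table, "static" is what stops hosts outside the ARP ACL from being admitted through the snooping fallback.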
